[wp-hackers] Limit Login Attempts

Chip Bennett chip at chipbennett.net
Tue Apr 16 14:53:34 UTC 2013

If 90,000 unique IP addresses are attempting a brute-force attack, in which
no single IP address makes more than a handful of attempts, how effective
will it be to limit login attempts by IP address?

I would support the inclusion of Limit Login Attempts in core, based on its
utility; however, it won't do any particular good in dealing with the full
potential of the current attack.

On Tue, Apr 16, 2013 at 10:36 AM, Chris Williams <chris at clwill.com> wrote:

> I made a rather reasonable proposal, and received plenty of advice, but
> the proposal never was vetted.  Now the issue of brute force attacks has
> even received Matt's attention:
> http://ma.tt/2013/04/passwords-and-brute-force/
> On the dozen or so WP sites I manage, wp-login.php is frequently among the
> top 10 most often accessed pages.  Yes, I have removed the admin account.
>  Yes, I have robust passwords.  Yes, I have plugins to help.  Yes, I am
> playing whack-a-mole and blocking the IPs one-by-one.  But brute force
> attempts to login are happening at an alarming rate.
> Wordpress should include login attempt limiting as part of core:
>  *   Logging into WP is a core feature
>  *   Usernames and passwords are a core part of WP security
>  *   Password strength metering is a core feature
>  *   Limiting guesses is a key way to defend against brute force attacks
> Is this the end-all-be-all to WP security?  No, of course not.
> But much of WP security depends on not being able to get access to
> privileged accounts.  And limiting login attempts is a simple,
> straightforward, non-invasive way to dramatically improve that security.
>  It has almost no impact on the good guys and virtually eliminates a common
> exploit path.
> Not every WP site allows comments, so having Akismet a plugin makes sense.
>  Many other other plugins make sense as plugins.  But logging into WP is an
> essential facility.
> Limiting login attempts should be part of core.
> Chris
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list